They said it was to save kids from porn. Now your passport’s on the dark web — and your NHS record is next.
How Britain’s child-safety law backfired into breaches, dark-web chaos, and a GOV.UK Wallet that will track you from cradle to grave.
THE RATIONALS
On 25 July 2025, the Online Safety Act’s children’s safety duties came into force, and the British internet changed overnight. Parliament had intended to shield children from pornography, self-harm forums, and algorithmic bullying, instead, it required every major platform likely to be accessed by under-18s to implement “highly effective” age verification for harmful content, on pain of fines up to 10 per cent of global turnover. Ofcom, newly armed with the powers of a financial regulator, wasted no time. Within hours, Reddit demanded facial scans or government ID for NSFW sections—those areas of the site marked “not safe for work,” containing adult material such as pornography or graphic imagery—, Spotify locked explicit lyrics and music videos behind biometric checks, and Pornhub gated all UK access with ID checks. Within days, thousands of Spotify users faced account deletion. Safety? No. A national firewall was born.
The first crack appeared at dawn. Proton VPN, a Swiss service long recommended by the National Cyber Security Centre for its no-logs policy, recorded a 1,400 per cent surge in British sign-ups minutes after midnight on July 25. Google searches for “VPN UK” followed the same curve. Three weeks later, the Children’s Commissioner, Dame Rachel de Souza, was on BBC Newsnight declaring virtual private networks “an absolute loophole that needs closing.” Ofcom, reading the mood, issued guidance warning platforms that any encouragement of circumvention tools would be treated as a breach of duty. The message was clear, evasion was now a regulatory offence. The law that gated Pornhub just paved the way for your digital ID
Yet the law’s architects had overlooked a simpler truth. Teenagers, long accustomed to borrowing their parents’ Netflix passwords, proved equally adept at borrowing their parents’ VPN subscriptions. Those without access turned to Tor, and the dark-web mirrors of the very sites the Act sought to regulate began to swell. Cybersecurity firms recorded a doubling, and in some cases tripling, of British traffic to .onion addresses offering unfiltered versions of Reddit, Discord, and adult platforms. Analyses from privacy advocates like the Open Rights Group, drawing on forensic data, indicate that these unregulated proxies hosted significantly more child-abuse, self-harm, and extremist material than the gated sites they replaced—spaces with less moderation and greater risks for predators. Safety, it turned out, had merely been relocated to spaces where moderation was non-existent.
The second crack was more serious. On the very day the Act took effect, a little-known American app called Tea—marketed as a “whisper network” for women—suffered a catastrophic breach. An unsecured Firebase bucket spilled 72,000 images, including 13,000 government-issued identity documents and facial selfies, across 4chan. Three days later, a second Tea breach exposed 1.1 million private messages, including location data. Three months later, Discord followed. A third-party verification firm, contracted to handle British age appeals, lost control of 70,000 passports and driving licences. The Information Commissioner received breach reports and began assessments, but the damage was irreversible, leaked IDs quickly surfaced on dark web forums like BreachForums, ready for resale.
These were not random misfortunes. They were the direct consequence of a legislative mandate that required millions of Britons to upload sensitive documents to private companies with no statutory duty to delete them — a requirement triggered by the Online Safety Act’s age-verification rules. The Home Office’s own figures show that forty-three per cent of British businesses suffered a cyber incident in the past year, the Act had simply created a new category of high-value targets. Privacy campaigners warned of “honeypots,” and they were proved right with depressing speed. The breaches exposed not only personal data but the fragility of the entire verification ecosystem. The Tea app, designed to let women vent anonymously about dates became a digital identity bazaar overnight. Discord, a platform where millions of British teenagers coordinate gaming sessions and schoolwork, suddenly carried the weight of passport-level exposure. The irony was stark, a law meant to protect the young had handed their most sensitive credentials to hackers on a silver platter.
The third and most consequential crack concerns the quiet fusion of the Online Safety Act with the government’s digital-identity programme. The Data (Use and Access) Act, passed in June 2025, elevated the Digital Identity and Attributes Trust Framework to statutory footing and established the Office for Digital Identities and Attributes. Yoti, the biometric firm most favoured by platforms racing to comply, reported a twenty-five per cent increase in traffic and 6.5 million digital-ID downloads in the UK shortly after the OSA’s rollout. Each verification, ostensibly ephemeral, feeds a reusable credential that can be linked to banking, travel, and eventually employment. The Children’s Commissioner may rail against VPNs, but the deeper logic is inexorable, only a centralised, government-backed identity can close the loophole she deplores. The Act’s daily tally of five million age checks has become the proving ground for this infrastructure, turning what was sold as a narrow child-safety tool into the foundation of a broader surveillance apparatus.
Tony Blair, never shy about grand designs, has described digital identity as “a system of identity so that we know precisely who has a right to be here”—a tool he sees as essential to curbing populism and migration. Keir Starmer’s administration, though more circumspect, has set a target of ninety-five per cent adult coverage via the GOV.UK Wallet by 2030. The Online Safety Act serves as the soft launch of a national ID card by stealth. The breaches, the VPN surge, the dark-web migration—all are treated as teething problems rather than fatal flaws. Officials point to the millions of compliant verifications as evidence of success, while quietly expanding the scope of the Digital Identity and Attributes Trust Framework to encompass financial services, rental agreements, and even NHS access. The firewall is not merely blocking content, it is gating citizenship itself.
The British public, historically allergic to identity schemes, has so far acquiesced with a shrug. The young, meanwhile, have voted with their browsers. They stream music through Tor, chat on dark-web Discords, and trade tips on evading facial recognition. The law that was meant to protect them has driven them into spaces where moderation is a memory and predators roam unchecked. The irony is almost too neat. A statute drafted to combat online harms has engineered a parallel internet where those harms flourish unrestrained, all while collecting the biometric breadcrumbs that will one day lock the gate behind them.
History rarely announces its turning points with fanfare. The Online Safety Act arrived amid earnest speeches about duty of care, it may yet be remembered as the moment Britain sleepwalked into a controlled internet. The firewall is already built, brick by digital brick, and the keys are in Whitehall’s hands. The breaches were the warning shots, the VPN bans the enforcement mechanism, and the digital wallet the endgame. What began as a crusade to save children from pixels has morphed into a system that tracks every citizen from cradle to grave. When your NHS record, your rent, and your vote live in a government wallet — will you still call it ‘child safety’?”
The Rational Forum is a reader-supported publication. If you like our work please share, comment or consider becoming a free or paid subscriber, failing that you can always buy us a coffee to help keep us going.
This article (They said it was to save kids from porn. Now your passport’s on the dark web — and your NHS record is next.) was created and published by The Rationals and is republished here under “Fair Use”
Featured image: The Rationals
Leave a Reply